Clarification about email "Upcoming Let's Encrypt certificate chain change"

May have been a bit quick on the keyboard, as it seems like I actually received the email as well, this morning…

That should be the exact same as above.

If you’re relying on older devices that do not trust “ISRG Root X1” or “ISRG Root X2”, and only have “DST Root CA X3” in their trust store, it may cause problems for these devices.

OR, if you somehow have some certificate pinning in your applications that is making the certificates depend on the validity of “DST Root CA X3”, it will likely fail at that timestamp, if you’re not doing anything to mitigate before then.

In other words:

The way the two of you explain your concerns, it sounds like you are NOT depending on the “DST Root CA X3” at all, and as such, it should not cause any problems for any of you.

However, neither of you has shared the actual source code from the application(s) that take care of the certificate validation, or otherwise provided any references to the source code (e.g. links to Git repositories), so it would be tough for the Cloudflare Community (or anyone else) to give a definitive yes / no, based on that specific “lack of information”.

I have seen a lot of people in the past believing they were doing something, but in reality, it turned out they were not actually doing the things exactly as they expected.

Based solely on the explanations, that the two of you have provided above, it should not cause any problems for any of you.

I understand the confusion, especially as the mail I received earlier today, from Cloudflare, started the subject with "[Cloudflare - Action Required] ".

As it may not always be true that action is actually required, a better option for the start of the subject line could eventually have been “[Cloudflare - Action MAY BE Required]”.

2 Likes
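The trust-store condition described in the post above can be checked directly against the CA bundle a client loads. The script below is an added example, not part of the original post or any Cloudflare or Let's Encrypt tooling; its function names are hypothetical, it matches roots by subject CN only, and its sample bundles are constructed throwaway certificates that merely borrow the root names.

```bash
#!/bin/sh
# Added example: report whether a PEM trust bundle contains the roots named above.
# Matching is by subject CN only (an assumption of this sketch); a real audit
# should also compare fingerprints against the ones the CA publishes.

# Print one "subject=..." line per certificate in the PEM bundle $1.
bundle_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null | grep '^subject'
}

# Does bundle $1 hold a root whose CN matches regex $2? Accepts both the old
# "/CN=Name" and the newer "CN = Name" OpenSSL output styles.
has_root() {
  bundle_subjects "$1" | grep -Eq "CN ?= ?($2)(\$|[,/])"
}

# Echo: ok (an ISRG root is present), dst-only (the at-risk case), or neither.
audit_trust_store() {
  if has_root "$1" 'ISRG Root X[12]'; then echo ok
  elif has_root "$1" 'DST Root CA X3'; then echo dst-only
  else echo neither
  fi
}

# Constructed stand-ins: self-signed certs with the same CNs, not the real roots.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout /dev/null -out "$2" 2>/dev/null
}

build_samples() {  # writes legacy.pem and modern.pem into directory $1
  make_root 'DST Root CA X3' "$1/dst.pem"
  make_root 'ISRG Root X1' "$1/isrg.pem"
  cp "$1/dst.pem" "$1/legacy.pem"
  cat "$1/dst.pem" "$1/isrg.pem" > "$1/modern.pem"
}

if [ -n "${1:-}" ]; then
  audit_trust_store "$1"   # pass the CA bundle your client actually loads
else
  d=$(mktemp -d) && build_samples "$d"
  echo "legacy: $(audit_trust_store "$d/legacy.pem")"
  echo "modern: $(audit_trust_store "$d/modern.pem")"
  rm -rf "$d"
fi
```

This covers only the trust-store case; a pin on “DST Root CA X3” lives in application code or configuration and has to be found there.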